Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

6

bd2675c043...4e.apk

android-9-x86

10

bd2675c043...4e.apk

android-10-x64

10

bd2675c043...4e.apk

android-11-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    162s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    19/02/2025, 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bd2675c04377f3e8667667fbd50dd0bcd0d7fe9bda3d5231801db22ec372fa4e.apk

  • Size

    4.8MB

  • MD5

    0e86fdc258c88445bd1f843534f17421

  • SHA1

    1e995aa079787feae50652cb522732313cedf4ab

  • SHA256

    bd2675c04377f3e8667667fbd50dd0bcd0d7fe9bda3d5231801db22ec372fa4e

  • SHA512

    f57ea3ceec0c3b5903f21fbce6cc1a44f6112c7206232f90fb9a18987d4452a99ab17239596b31c10f3348aac4fba46b0cefaafbe95d9e2a92e72c0df8cd82b8

  • SSDEEP

    98304:8gi+ZToesFQKBKgA9lr3jwzvXUNblCBiLzwiekCPWResOMHGkBAMNn:8+1rKB9A9F3jSv2blCoLzwwCPWReEHDt

Score
10/10
hookbankercollectioncredential_accessdefense_evasiondiscoveryevasionexecutionimpactinfostealerpersistencerattrojan

Malware Config

Extracted

Family

hook

C2

http://176.65.134.87

DES_key
AES_key

Signatures

  • Hook

    Hook is an Android malware that is based on Ermac with RAT capabilities.

    rattrojaninfostealerhook
  • Hook family
    hook
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries information about running processes on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    defense_evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about the current Wi-Fi connection 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
    impact
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.bgvoerxoa.ttsdldwei
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Queries information about running processes on the device
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about the current Wi-Fi connection
    • Queries the mobile country code (MCC)
    • Schedules tasks to execute at a specified time
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    PID:4438

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Process Discovery

1
T1424

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

3
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

1
T1471

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.bgvoerxoa.ttsdldwei/app_dex/classes.dex
    Filesize

    2.9MB

    MD5

    5a26341f7ce27949a670f5aaf4a9b889

    SHA1

    7673183901800908935527427d1c3693e95cd337

    SHA256

    6af72c50b5d5bf39a1dd6aaa124639d809e791951c296dbc61832f8603f01088

    SHA512

    a922d6401c6f3152de270f89e0ecc09622d4d65c2d445aa960867c5c892baf3df0009c44825f3b8a1893aa49fcfbe295fb0181b63591959a3c3aeff1bc89b548

    Download Submit

  • /data/data/com.bgvoerxoa.ttsdldwei/cache/classes.dex
    Filesize

    1.0MB

    MD5

    bb3e92924fc1012526fb287851330207

    SHA1

    792e2320dc6f28f2cfa8a0485c62a09abb48fdc2

    SHA256

    3791107563a72efeb461f6b2e996d1ff31f846bb91a035b49f3469c6ce354ec1

    SHA512

    df6d47b2294b8c28b9a28266fce7bf16a60b929760493ab9e45975e4f4367f7a885455e4e9301556cadf5fd3d9a2659f48e21041c0c3ce3607c877e626d1cccd

    Download Submit

  • /data/data/com.bgvoerxoa.ttsdldwei/cache/classes.zip
    Filesize

    1.0MB

    MD5

    c2b97f49ef7b4ffa2a057b9fa9477d5d

    SHA1

    0b472940dd7c2218356e2ac1099560648a4f5d7c

    SHA256

    ed77d362f64513e7de7d816d28d8c23d34822253d922f713ad57ffd4d7cc7dc5

    SHA512

    2deef17edda3ee62fe2e67d6ef9c211a67364e818848dd6a847ebe79ff1fe26ef31eb42d9ad80f2c6c0db26c21fdc3f813cda2f3f1bab9637aa294c2c12d74f0

    Download Submit

  • /data/data/com.bgvoerxoa.ttsdldwei/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    7e858c4054eb00fcddc653a04e5cd1c6

    SHA1

    2e056bf31a8d78df136f02a62afeeca77f4faccf

    SHA256

    9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

    SHA512

    d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

    Download Submit

  • /data/data/com.bgvoerxoa.ttsdldwei/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    610c77da60f5f5fb0d4c2bd53bb61402

    SHA1

    ba66154ce2e661cd8da8d52485091e1986067a68

    SHA256

    bc79f17e0d997ffcd82c73742e6ad094b20e57879489bd639dff2bcb12bb3769

    SHA512

    45b8221487ba801cb92745b95897dff34bea26ac8635b194ea9a6fbac3c9ba24ccc2fb74573af7e8df5cdc5e8d152a50c88ff32b7d274a7df8983a906aaa6513

    Download Submit

  • /data/data/com.bgvoerxoa.ttsdldwei/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.bgvoerxoa.ttsdldwei/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    b29058e901b248049d9a06a66acdff58

    SHA1

    6c3edc584d92baad2f25ad24b9f760f22c099f42

    SHA256

    299d2c7b228c855f32c9798e52155fdcbb422ddecc335dfd4ccfbafe49af516b

    SHA512

    28379243373a93070234aa4646b83fcb177a9b818a6bfcf169f5041ebaedfb7a6e4cc2db3212be78bc38adbb236fdbf248087a6334b560d4eba42d4a6820a3ed

    Download Submit

  • /data/data/com.bgvoerxoa.ttsdldwei/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    5f1e3ac97219241e5878f9f86893db6b

    SHA1

    2020acdce5ca588bafacdb89a39e37b9cd73413a

    SHA256

    47636ef0b4fb77571b482c5d939ae5dcc4777ffaba590ada06a35a2e7208762e

    SHA512

    e0727a923a2ed14ae3fbe662ed684e864a2124faa2e5847f232150bca9e6957eeddddf8985758d64b625aec3ef9ea149f28cf1abeb7f34fb6521f701baa0ad18

    Download Submit

  • /data/data/com.bgvoerxoa.ttsdldwei/no_backup/androidx.work.workdb-wal
    Filesize

    173KB

    MD5

    35a6589182d07cd0b5c8a639b3f8fa84

    SHA1

    f9c5cfd74a59e3a10994433a1f701f8df1aef8d9

    SHA256

    04f06a5deb146b849abc6b10fcff6f7fdf7f8db816beb0064bc7142a903c0414

    SHA512

    a8e0475f92aa4dc9c8f97b646585a1736109d9d972762688de7bb905e33440e70c568bf21e6d24249c6712862a69a2f4a8e713902726d179ec1ac3fab38fcb14

    Download Submit